OFFICE OF INSPECTOR GENERAL
UNITED STATES POSTAL SERVICE

Engineering Systems and Network Operations Disaster Recovery Plan –

Audit Report

September 24, 2013

Report Number IT-AR-13-007

BACKGROUND:
U.S. Postal Service policy requires management to develop and test disaster recovery plans (DRPs) and perform business or infrastructure impact assessments for all applications. These plans assist in relocating and restoring applications at an alternative location following a disaster. The alternative location should be far enough from the main site so it is not affected by the same disaster. The impact assessments assist management in prioritizing the site's disaster recovery strategies.

In addition, the Continuity of Operations Plan provides for sustaining mission essential functions at an alternative site. Management supports 71 applications at the      and at sites nationwide.

Our objective was to determine whether the      has a DRP and whether the plan complies with Postal Service policies, industry standards, and best practices.

WHAT THE OIG FOUND:
Engineering Systems and Network Operations management did not establish or periodically test a DRP for the      that prioritized the applications that should be restored or described how those prioritized applications could be restored. An outdated Continuity of Operations Plan listed alternative sites in case of a disaster; however, no plan exists that describes how those sites would become operational in a disaster. The primary alternative site is on the      and could be impacted by the same disaster. Management believed their recovery procedures for the primary site were a viable DRP. Without a plan and testing, Postal Service operations and its brand — valued at about $102.4 million — are at risk.

Further, business or infrastructure impact assessments were not completed or updated for 57 of the 71 supported applications. Without placing a priority on completing these assessments, management would not be able to develop an effective DRP. As a result of our audit, management created or updated 24 of 71 assessments and developed an action plan to complete the remaining 33 assessments.

WHAT THE OIG RECOMMENDED:
We recommended management create and test a DRP at an alternative site that is a sufficient distance from the      so that it will not be affected by the same disaster and to complete impact assessments for the supported applications.

September 24, 2013

MEMORANDUM FOR:   MICHAEL J. AMATO
                  VICE PRESIDENT, ENGINEERING SYSTEMS

                  DAVID E. WILLIAMS, JR.
                  VICE PRESIDENT, NETWORK OPERATIONS

FROM:             John E. Cihota
                  Deputy Assistant Inspector General
                  for Financial and Systems Accountability

SUBJECT:          Audit Report – Engineering Systems and Network Operations Disaster Recovery Plan –
                  (Report Number IT-AR-13-007)

This report presents the results of our audit of the Engineering Systems and Network Operations Disaster Recovery Plan at the      (Project Number 13BG002IT000).

We appreciate the cooperation and courtesies provided by your staff. If you have any questions or need additional information, please contact Paul Kuennen, director, Information Technology, or me at 703-248-2100.

Attachment

cc: Corporate Audit and Response Management

TABLE OF CONTENTS

Introduction
Conclusion
Preparation and Testing of Disaster Recovery Plans
Business and Infrastructure Impact Assessments
Corrective Actions Taken
Recommendations
Management’s Comments
Evaluation of Management’s Comments
Appendix A: Additional Information
   Background
   Objective, Scope, and Methodology
   Prior Audit Coverage
Appendix B: Other Impact
Appendix C: Applications Hosted at the
Appendix D: Impact Assessments Completed for Engineering-Supported Applications
Appendix E: Impact Assessments Not Completed
Appendix F: Impact Assessments Requiring Update
Appendix G: Management's Comments

Introduction

This report presents the results of our self-initiated audit of the Engineering Systems and Network Operations Disaster Recovery Plan (DRP) – (Project Number 13BG002IT000). Our objective was to determine whether Engineering Systems and Network Operations at the      has a DRP and whether the DRP complies with U.S. Postal Service policy, industry standards,[2] and best practices.[3] See Appendix A for additional information about this audit.

Postal Service policy requires all major information technology (IT) sites and organizations that use or support information resources[4] in the Postal Service to develop a DRP. The DRP identifies key personnel and priority procedures for relocating information systems operations to an alternative location following a major system disruption with long-term effects. A DRP is also an information system-focused plan for restoring the target system, applications, or computer facility infrastructure at an alternative site after a disaster. Best practices[5] and industry standards[6] suggest the alternative site be located far enough away from the primary site to reduce the likelihood of being affected by the same disaster. In addition, routine DRP testing helps assure an orderly transition to the alternative site. Postal Service policy tasks the installation head with developing, maintaining, and testing the DRP.

A Continuity of Operations Plan (COOP) provides guidance for sustaining an organization’s mission essential functions at an alternative site and performing those functions for up to 30 days before returning to normal operations.
The most recent COOP, prepared in 2010, lists      .

Finally, Postal Service policy requires infrastructure impact assessments (IIAs) and business impact assessments (BIAs) to complete a DRP; determine the sensitivity[7] and criticality[8] of information infrastructure and applications, respectively; determine the appropriate security requirements needed to protect the resource; and assist management in prioritizing the recovery of these vital resources at the alternative site. DRP documentation is required for each application.

[1]
[2] A mandatory requirement, code of practice or specification approved by a recognized external standards organization.
[3] A proven activity or process that has been successfully used by multiple enterprises.
[4] All Postal Service information assets, including information systems, hardware, software, data, applications, telecommunications networks, computer-controlled mail processing equipment, and related resources and the information they contain.
[5] Gartner, G00155016, Toolkit Decision Framework: Best Data Center Locations for Disaster Recovery, dated March 2008.
[6] National Institute of Standards and Technology (NIST) Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, Section 3.4.3, dated May 2010.
[7] Sensitivity determines the need to protect the confidentiality and integrity of the information.
[8] Criticality determines the need for continuous availability of the information.

Engineering Systems and Network Operations at the      are system sponsors for 71 applications, 16 of which are at the      as noted in Appendix C, Table 1.
The remaining 55 applications reside at other field units such as      .

Conclusion

Engineering Systems and Network Operations' management did not have a DRP for the      or the planning documents to restore those specific applications on the      in the event of a disaster. Management also did not prepare BIAs or IIAs for 10 of the 16 applications at the      and six of the 55 applications hosted at other installations. For example, management did not create an IIA or a DRP for the Remote Computer Reader to determine how, when or even if the application should be recovered at an alternative site. Furthermore, BIAs or IIAs for 17 applications must be updated.[9] Without a BIA or IIA or timely recertification,[10] an effective DRP for the      cannot be developed. Without a DRP, a catastrophic event could place Postal Service operations, brand, and services — valued at about $102.4 million — at risk.[11]

Preparation and Testing of Disaster Recovery Plans

Engineering Systems and Network Operations management did not have a DRP for the      that prioritized the applications that should be restored or a viable disaster recovery testing program.[12] Additionally, management did not have all the planning documents that describe how to restore those prioritized applications at the      . Finally, management did not have DRPs describing how the secondary alternative site in      as described in the COOP, would become operational. Postal Service policy[13] requires management to prepare a DRP for all applications and base testing frequency on the level of criticality.

A facility security report[14] prepared in 2011 for the U.S. Postal Inspection Service reported completion of facility recovery plans, workgroup recovery plans, and application DRP.
However, the IT Artifacts Library[15] and the Enterprise Information Repository (EIR) showed that no DRPs were completed for applications at      This occurred because management believed their recovery and back-up procedures for the primary COOP site constituted a viable DRP. While these procedures may protect against data loss in non-disaster conditions, they alone should not be considered a viable DRP.

[9] As a result of our audit, management created or updated 24 assessments.
[10] Handbook AS-805, Information Security, Section 3.3-1, dated May 2013, states, "The BIA must be updated periodically as required (every 1, 3, or 5 years depending on its sensitivity designation), whenever a significant change is made to the information resource, or whenever the certification and accreditation (C&A) process is re-initiated."
[11] IT assets are at risk of disruption longer than necessary because a DRP (and all its supporting BIAs and IIAs) has not been developed and tested.
[12] Because a DRP did not exist, the U.S. Postal Service Office of Inspector General (OIG) could not perform testing.
[13] Handbook AS-805, Section 12.5.
[14] 2011 Vulnerability Risk Assessment Tool (VRAT) prepared for Engineering.
[15] A document repository that contains finalized project deliverables for all technology solutions.

According to the EIR,[16] management performed recovery testing for one of the 16 applications, the Electronic Maintenance Activity Reporting and Scheduling (eMARS) system,[17] in 2009. See Appendix C, Table 1 for a listing of the 16 applications at the      .

During our review, management developed recovery and backup procedures      as a primary alternative site.
However, this      and could be impacted by the same disaster.

Insufficient disaster recovery planning that does not include moving systems and application recovery to an alternative location outside of the      and testing the DRP commensurate with the criticality and sensitivity of the application places the Postal Service's operations, brand, and services at risk. Our analysis estimates the risk to be about $102.4 million. See Appendix B for details on the calculation of other impact.

Business and Infrastructure Impact Assessments

System sponsors[19] within Engineering Systems and Network Operations did not always ensure completion of BIAs or IIAs for their respective applications. These sponsors must complete the EIR registration; request Corporate Information Security Office (CISO) collaboration in completing the impact assessments; and document application characteristics such as production environment, high-level network architectural diagrams, and sensitive data elements needed to proceed with the impact assessment. Management did not prepare BIAs or IIAs for 10 of 16 applications at the      and for six of the 55 Engineering-supported applications at other locations. Appendix C, Table 1 identifies the 16 resident applications; Appendix E, Table 3 identifies the status of the 10 resident applications for which an assessment has not been prepared; and Appendix E, Table 4 identifies the status of the six non-resident applications for which an assessment has not been prepared. In addition, management did not timely update 17 applications at      and other locations as shown in Appendix F, Table 5.
See Appendix D, Table 2 for a listing of 38 completed BIAs.

Postal Service policy requires management to prepare a BIA or IIA for all applications to determine the level of sensitivity and criticality and the information security requirements to assist management in prioritizing the recovery of IT services. Management, however, did not set the proper priority to complete the required BIAs or IIAs and did not stress their importance. Without initial or updated BIAs or IIAs for applications, management would be significantly hampered in developing an effective DRP for continuing operations of critical applications at an alternative recovery site.

[16] The Postal Service’s database of record that maintains information about existing Postal Service applications, toolsets, and data.
[17] eMARS provides inventory management for parts and labor for all plants, as well as reporting and alert capabilities related to inventory management.
[18] For the eMARS system.
[19] Business managers with oversight (funding, development, production, and maintenance) of the applications.

Corrective Actions Taken

Since December 4, 2012, which was during our audit, management initiated corrective actions to create or update 24 BIAs. Thirty-eight BIAs (53.5 percent) are considered complete and current for the 71 supported applications.[20] The BIAs or IIAs for the remaining 33 applications are in various stages of completion. See Appendix E, Tables 3 and 4 and Appendix F, Table 5 for a listing of these applications.

Recommendations

We recommend the vice president, Engineering Systems, in coordination with the vice president, Network Operations:

1. Establish, implement, and test a disaster recovery plan for Engineering Systems and Network Operations in      that is commensurate with the sensitivity of data, available resources, and level of risk for the applications and incorporates an appropriate alternative site located far enough away from the      that it will not be affected by the same disaster.

2. Timely complete or update, as appropriate, business impact or infrastructure impact assessments for all applications supported by Engineering Systems.

Management’s Comments

Management agreed with our findings and recommendation 2 and partially agreed with recommendation 1.

Addressing recommendation 1, management stated that the recommendation does not take into consideration that the identified systems are off-line and have no impact on day-to-day processing of mail. However, management intends to create and conduct limited testing of the DRP based on updated BIAs for each of the applications. Furthermore Network Operations will use the      as their disaster recovery site for the majority of the application and systems due to the high cost of implementation at alternative testing locations. The target implementation date is May 23, 2014.

Regarding recommendation 2, management will complete or update, as appropriate, BIAs and IIAs for applications designated as critical or business-controlled. The target implementation date is December 20, 2013.

Management also disagreed with the $102.4 million of other impact because they believe the OIG’s analysis and underlying methodology to calculate financial impacts was flawed and based on one individual's opinion. Further, management claimed the OIG never requested a team assessment of the projected recovery time.

[20] We did not assess the accuracy or completeness of the BIAs. We may do this in a future review.

See Appendix G for management’s comments, in their entirety.

Evaluation of Management’s Comments

The OIG considers management’s comments responsive to the recommendations in the report.

Regarding recommendation 1, management asserted that the recommendation did not take into consideration that the identified systems had no impact on mail processing. However, this assertion is premature until a DRP based on completed BIAs and IIAs is developed.

To address management's disagreement regarding calculation of the other impact and the recovery period, the OIG worked with management's designated subject matter expert to calculate other impact and management had ample opportunity during the review to complete additional risk assessments that could further refine residual risk and the time needed to recover operations from a catastrophic event. Management did not provide any support that they could recover the critical applications hosted or supported at the      within 1 day.

The OIG considers both recommendations significant, and therefore requires OIG concurrence before closure. Consequently, the OIG requests written confirmation when corrective actions are completed.
These recommendations should not be closed in the Postal Service’s follow-up tracking system until the OIG provides written confirmation that the recommendations can be closed.

Appendix A: Additional Information

Background

Postal Service policy[21] and generally accepted industry standards[22] require all major IT sites to develop a DRP. A DRP is an information system-focused plan designed to restore the operability of the target system, applications, or computer facility infrastructure at an alternative site after an emergency. The DRP identifies key personnel and priority procedures for relocating information systems operations to an alternative location and is activated after major system disruptions with long-term effects.

Postal Service policy tasks the installation head to develop, maintain, and test the DRP. The CISO Business Continuance Management group, the Information System Security officer, and the application owner jointly determine the criticality designation by considering the impact of the information resource on numerous effects. Finally, each application must have DRP documentation stored in the IT Artifact Library.

Objective, Scope, and Methodology

Our objective was to determine whether Engineering Systems and Network Operations management at the      has a DRP and whether the plan complies with Postal Service policies, industry standards, and best practices.
We limited our audit to the applications maintained and supported by Engineering Systems and Network Operations at the      .

To accomplish this objective, we interviewed on-site      program managers and administrators to determine who was responsible for network configurations, application data, and building services restoration and priorities for disaster recovery. We corroborated DRP and BIA and IIA responsibilities for the      with the Postal Service’s CISO and Business Continuity Planning and Infrastructure Relationship management. We determined the status of BIA and IIA based on documentation in the IT Artifacts Library and EIR and from management’s assertions for all 71 Engineering Systems-supported applications. Finally, we reviewed the 2011 VRAT[23] responses completed by the former Engineering Systems Installation head and the 2010 COOP.

[21] Handbook AS-805, Section 12.
[22] NIST Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems.
[23] A questionnaire used by the Inspection Service to assess facility security.

We conducted this performance audit from October 2012 through September 2013 in accordance with generally accepted government auditing standards and included such tests of internal controls as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.
We discussed our observations and conclusions with management on August 19, 2013 and included their comments where appropriate.

We assessed the reliability of the transactions data from the eMARS system by interviewing the Solutions Center Business Project leader. Specifically, we discussed with an eMARS expert the transaction types, which transactions would require manual reentry, and how much time would be needed to enter the transactions manually if eMARS was not functional for determining other impact. We determined that the data were sufficiently reliable for the purposes of this report.

Prior Audit Coverage

The OIG did not identify any prior audits or reviews related to the objective of this audit.

Appendix B: Other Impact

Recommendation    Impact Category    Amount
1                 IT Security[24]    $102,379,861

Computer software, networks, and data are vulnerable or at risk of loss due to disruption of critical Postal Service operations and services longer than necessary because a DRP was not available and tested. Figure 1 shows the risk associated with three recovery periods.

Figure 1. Projected IT Security Risk – Without Disaster Recovery Plan

Source: Ponemon Institute – Cost Framework, OIG analysis.

We calculated the other impact of $102,379,861 because a DRP (and supporting BIAs and IIAs) was not available and tested for the 16 applications at the      . In determining the risk associated with the loss of operations at the      , we selected the eMARS application as a representative system because its production servers are at the      and it is used throughout the Postal Service.

[24] Computer software, networks, and data that are vulnerable or at risk of loss because of fraud, inappropriate or unauthorized disclosure of sensitive data, or disruption of critical Postal Service operations and services.

Through interviews with the eMARS Solutions Center Business project leader and manager — designated by management as the point of contact and subject matter expert for eMARS — we determined that a full functional recovery of the system at an alternative location outside the      without a DRP may take 8 to 18 weeks. However, the 18 weeks represents the eMARS manager's worst case scenario, while 8 weeks would be a more reasonable recovery period.

The vice president, Network Operations, stated that, in his opinion, the best case scenario should be less than 1 day because he could quickly provide the funding and resources needed to restore this application. No information was provided to discount the 18-week recovery period nor was any support provided for the less than 1-day recovery period.
We were unable to find any comparable authoritative sources for a system that provided an 'average' recovery period, so we used the 8-week recovery period, as it represents a reasonable recovery period (in an environment without an established or tested DRP and all associated BIAs and IIAs completed) and the eMARS manager considers it to be the most likely outcome. As a result of this audit, management asserted that they have taken steps to mitigate the potential loss of functionality caused by a disaster by pursuing logistical support and equipment so the Postal Service can use a      as an alternative to the facility at

We worked with the eMARS manager to obtain eMARS transactional and labor cost data to calculate the cost of not having the eMARS system available. Using the cost framework published in a white paper[25] by the Ponemon Institute, we conservatively calculated the risk associated with the loss of functionality of the      for one of the 71 supported applications as follows:

•    To determine direct costs[26] related to the loss of eMARS system functionality, we worked closely with management to develop the factors for this calculation. The weekly manual labor cost to process maintenance and order parts is about $12.8 million, or $102,379,861 for the 8-week period. We based the calculation on average required weekly labor hours (252,466[27]) and the average hourly rate for a maintenance worker ($50.69).[28]

•    We did not include a probability factor in our calculations because, according to best practices, “when the consequences of a risk are severe, probability is misleading in assessing the risk's importance. A risk with catastrophic consequences is important, even if it is considered unlikely.”[29]

[25] Ponemon Institute, Understanding the Cost of Data Center Downtime: An Analysis of the Financial Impact on Infrastructure Vulnerability, March 2011.
[26] An expense that can be assigned to or identified with a specific activity (Business Dictionary.com).
[27] A rounded number of hours that is the average required weekly labor for processing transactions manually (1,770,538 transactions at 8.55556 minutes per transaction divided into 60 minutes per hour).
[28] Hourly wages rate given by management.
[29] Gartner: Use the Risk Pyramid to Assess Risk in Five Minutes, G00210317, May 2, 2011. Gartner, Inc. is the world's leading IT research and advisory company that delivers technology-related insight to their clients.

We did not include the loss of      support for the other engineering applications in the event of a disaster in the other impact calculation, although this would put additional data at risk of loss. Our other impact calculation represents one measure of potential exposure to the Postal Service in the event of a disaster at the      however, this should not be considered the maximum exposure or risk to the Postal Service.

Appendix C: Applications Hosted at the

Sixteen business and infrastructure applications are hosted at the      , as shown in Table 1.

Table 1. Applications Hosted at the

      Application Name
1     Automated Parcel Bundle Sorter Image Controller
2     eMARS
3     Engineering Intranet
4     Flat Identification Code Sort
5     Forwarding Control System
6     Integrated Data System
7     Intelligent Mail Enterprise[30]
8     KONFIG® Configuration Management II Enterprise Configuration Management System
9     Mail Processing Infrastructure Workstation
10    Next Generation Transaction Concentrator
11    Powered Industrial Vehicle Management System
12    Remote Computer Reader
13    Remote Directory File Monitor
14    TeamTrack
15    Technology Management Office System (TMOS)[31]
16    Web Enabled Automated Package Processing System (APPS) Processing Results Log Message (PRLM) Analysis Tool

Sources: Applications program managers and system administrator interviews and the EIR.

Appendix D: Impact Assessments Completed for Engineering-Supported Applications

Management has completed BIAs for 38 of 71 supported applications (Table 2). The
remaining 33 applications include 16 applications that require an initial assessment
(Appendix E, Table 3 and Table 4) and 17 applications that need updated assessments
(Appendix E, Table 5). The CISO included some applications in this list that are in the
development stage since policy[32] requires a completed and approved BIA as part of the
C&A package[33] before that development application moves into production. We will
update the category in any subsequent reviews or audits.

Completion of the BIAs or IIAs assists management in restoring the most essential
applications in the proper order. Many of these applications are essential for mail
processing plant operations and moving the mail.

Table 2. Completed Impact Assessments

Index   Application Name                                                 Abbreviation   Completion
Number                                                                   or Acronym     Date[34]
1342    Transportation Optimization Plan and Scheduler                   TOPS           2/11/2013
1351    Logistics Contract Management System                             LCMS           2/1/2013
1360    Yard Management System                                           YMS            4/11/2013
2693    E-Maintenance Activity reporting and Scheduling                  eMARS          4/22/2013
2398    Concentration and Convoy Tracking                                CONCON         2/1/2013
3062    Rail Management Information System                               RMIS           7/19/2013
3075    Transportation Routing Information Panel System                  TRIPS          7/19/2013
3108    Surface Air Management System                                    S-AMS          5/15/2012
3137    Postal Automated Redirection System                              PARS           2/20/2013
3238    Intelligent Mail Data Acquisition                                IMDAS          4/24/2013
3267    National Traffic Management System                               NTMS           4/29/2013
3466    E-Facilities Management System                                   EFMS           4/27/2012
3520    Biohazard Detection System Detection System National Controller  BDSNAT         4/27/2012
3683    Surface Air Support System Mobile                                SASS Mobile    3/10/2013
3740    International Document Portal                                    IDP            2/20/2013
3797    External Label List System                                       ELLS           8/13/2012
3849    Network Operations - Help                                        NOMSHELP       7/18/2013
3940    Mail and Image Reporting System                                  MIRS           4/14/2011
3941    National Air and Space System Web                                NASSWEB        3/14/2013
3943    Mobile Repossession and Reassignment                             MRR            6/28/2013
4003    Directory Services                                               DIRSERV        2/26/2012
4102    Enterprise Energy Management System                              EEMS           10/10/2012
4130    Global Business System                                           GBS            4/27/2012
4192    Lean Six Sigma Continuous Improvement Project Tracker            INSTANTIS      5/3/2013
4206    Intelligent Mail Enterprise                                      IME            12/20/2011
4212    Quick Test Professional                                          QTP            2/10/2012
4268    Technology Management Office System                              TMOS           2/13/2013
4293    Electronic Parcel Locker Central Management System               ePLCMS         10/20/2011
4303    Plant Scanning System                                            PSS            3/7/2012
4308    Move To Competitive Registration System                          MTCRS          1/31/2013
4317    Automated Parcel Bundle Sorter Image Controller                  APBS-IC        4/9/2013
4327    Variance Modules                                                 VM             1/24/2013
4336    Outbound Data Concentrator                                       ODC            8/23/2013
4350    Singulation Scan Induction Unit                                  SSIU           12/4/2012
4353    Inbound Custom Data Concentrator                                 IDC            5/3/2013
5029    ID Code Sorting Server                                           ICS-SERVER     1/3/2012
6186    Networks Intranet                                                NI             3/15/2013
None    Team Track                                                       TEAM TRACK     6/13/2013

Source: CISO and Engineering Systems status as of July 19, 2013.

[32] Handbook AS-805.
[33] A formal security analysis and management approval process that assesses residual risk
     before the resource is put into production.
[34] Management initiated corrective actions to create or update 24 BIAs subsequent to the
     initiation of our audit on December 4, 2012.


Appendix E: Impact Assessments Not Completed

As a result of our audit, Engineering Systems and Network Operations management are
completing the initial assessment by following the BIA or IIA process for 10 business
and infrastructure applications that were not completed and reside at the
          KONFIG is a commercial off-the-shelf application and, along with the
Engineering intranet, is waiting for Engineering Systems and CISO to determine the
appropriate assessment needed. Also noted in management's comments are those
applications slated for retirement or consolidation with another application.

Table 3. Impact Assessments Not Completed –

Index   Application Name                            Abbreviation or       Management
Number                                              Acronym               Comment
3208    Flat ID Code Sort                           FICS                  In process
4168    Web Enabled APPS PRLM Analysis Tool         WEBAPAT               In signature process
4309    Mail Processing Infrastructure Workstation  MPIW                  In process
4337    Next Generation Transaction Concentrator    NGTC                  In process
6116    Remote Computer Reader                      RCR                   In process
None    KONFIG                                      KONFIG                In process
None    Remote Directory File Monitor               RDFM                  To be consolidated with PARS
None    Forwarding Control System                   FCS                   To be consolidated with PARS
None    Engineering Intranet                        ENGINEERING INTRANET  Awaiting determination
None    Integrated Data System                      IDS                   In process

Source: CISO and Engineering Systems status as of July 19, 2013.

Engineering Systems and Network Operations management are completing the initial
assessment by following either the BIA or IIA process for six business and
infrastructure applications that were not completed and reside at sites other than the
                    (see Table 4).

Table 4. Impact Assessments Not Completed

Index   Application Name                                  Abbreviation  Management Comment
Number                                                    or Acronym
2718    National Directory Support System                 NDSS          In process
3074    Vehicle Tracking Analysis and Performance System  VTAPS         In retirement process
3837    Change of Address Reporting System                None          In signature process
4213    Service Test                                      SERVICE TEST  In retirement process
4241    Equipment Inventory Management System             EIMS          Consolidating with Remedy 7
4271    Inspection Service Toolkit                        IS TOOLKIT    Pending scheduling, no current funding

Source: CISO and Engineering Systems status as of July 19, 2013.


Appendix F: Impact Assessments Requiring Update

BIAs and IIAs for 17 business and infrastructure applications supported by Engineering
need to be updated.

Table 5. Impact Assessments Requiring Update

Index   Application Name                                                Abbreviation  Completion  Management
Number                                                                  or Acronym    Date        Comment
1339    Web Mail Condition Reporting System                             WEB MCRS      3/17/2009   In process
1343    Distribution Table Maintenance System                           DTMS          4/7/2009    In signature process
1344    Web Load Restraint Reporting System                             WEBLRRS       6/9/2010    In retirement
1362    Web End-of-Run                                                  WEBEOR        3/31/2009   In process
1373    Mail Processing Equipment (MPE) Watch                           MPEWATCH      2/7/2006    In process
1395    Web Management Operating Data System                            WEBMODS       2/4/2008    In process
2716    Web Enabled Service Standard Directory                          WEB SSD       5/20/2009   In process
3221    Web Remote Encoding Center Operations Analysis Database System  WEBROADS      8/4/2009    In process
3236    Business Reply Mail Accounting System                           BRMAS         4/6/2006    In process
3263    Deployment Scheduler                                            EDEPLOY       7/14/2009   In process
3311    Mail Processing Operating Plan System                           MPOPS         10/15/2009  In process
3327    Statis Table Support System                                     STSS          3/4/2008    In process
3630    Powered Industrial Vehicle Management System                    PIVMS         6/22/2006   In process
3636    Vehicle Information Transportation Analysis and Logistics Web   VITAL WEB     6/1/2008    In process
3696    Postal Automated Redirection System Database System             PADS          3/28/2006   To be consolidated with PARS
3730    Envelope Reflectance Meter III                                  ERM-III       3/16/2007   In process
3942    Surface Air Management System - Alaska                          SAMS-ALASKA   5/19/2011   In process

Source: CISO and Engineering Systems status as of July 19, 2013.


Appendix G: Management's Comments